Fuzz testing - PowerPoint PPT Presentation

1
Fuzz testing
  • Eerik Till

2
Agenda
  • Introduction
  • Methodology
  • Types
  • Techniques
  • Phases
  • Technologies
  • SQL fuzzing
  • Conclusions

3
Intended use? Assumptions made?
4
Fuzz testing
  • Black box software testing technique.
  • Injects malformed or semi-malformed data in an
    automated way in order to find implementation
    bugs.
  • Purpose: send anomalous data to a system in order
    to crash it and reveal its reliability problems.
  • Developed at the University of Wisconsin Madison
    in 1989 by Professor Barton Miller and his
    students.

5
Fuzz testing methodology
6
Fuzzer types
  • Static and random template-based
      • Test request-response protocols or file formats.
  • Block based
      • May contain some rudimentary dynamic
        functionality.
  • Dynamic generation or evolution based
      • Learn protocols based on a feedback loop.
  • Model-based or simulation-based
      • Implement the tested interface either through a
        model or a simulation.

7
Types of fuzzing
  • Application fuzzing
      • Attack vectors are within I/O.
  • Protocol fuzzing
      • Sending forged packets to the application.
  • File format fuzzing
      • Generates multiple malformed samples, and opens
        them sequentially.

8
Fuzzing techniques
  • Session data fuzzing
      • The simplest, because it transforms legal data
        incrementally.
  • Specialised fuzzing
      • Targets specific protocols, such as SMTP, FTP, SSH
        and SIP.
  • Second generation fuzzing
      • Allows the user to define the packet type, the
        protocol and the elements within it.

9
Session data fuzzing, SMTP
  • mail from sender@testhost
  • This would then be sent in the following forms to
    see what effect they have:
      • mailmailmailmail from sender@testhost
      • mail fromfromfromfrom sender@testhost
      • mail from sender@testhost
      • mail from sendersendersendersender@testhost
      • mail from sender@@@@testhost
      • mail from sender@testhosttesthosttesthosttesthost
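
The transformation on this slide carried out in code, as an added example that is not part of the presentation: each token of the legal command, including the spaces and the `@`, is repeated four times in turn, which reproduces the slide's variants and generalises them to any command line. `toy_mail_from_handler` is a constructed stand-in for the server under test (not a real SMTP implementation; it only enforces the 64-octet local-part limit of RFC 5321 and answers with SMTP-style reply codes), and `run_variants` is the driver and monitor that records whether each variant was accepted, rejected or crashed the handler.

```python
import re

# Constructed sample input: the legal SMTP command from the slide.
LEGAL_COMMAND = "mail from sender@testhost"


def tokenize(command):
    """Split a command line into word and separator tokens, keeping the
    separators (spaces and '@') as tokens so that they can be mutated too."""
    return [t for t in re.split(r"([ @])", command) if t]


def session_data_mutations(command, repeat=4):
    """Session data fuzzing: take one legal command and transform it
    incrementally, repeating each token in turn `repeat` times while the
    rest of the line stays legal. Generalises the slide's fixed list of
    variants to any command line."""
    tokens = tokenize(command)
    variants = []
    for i, tok in enumerate(tokens):
        variants.append("".join(tokens[:i] + [tok * repeat] + tokens[i + 1:]))
    return variants


def toy_mail_from_handler(line):
    """Constructed stand-in for the MAIL FROM parser of a server under test
    (not a real SMTP implementation). It enforces the 64-octet local-part
    limit of RFC 5321 and answers with SMTP-style reply codes."""
    m = re.fullmatch(r"mail from ([^@ ]+)@([^@ ]+)", line)
    if m is None:
        return "501 syntax error"
    local, domain = m.groups()
    if len(local) > 64:
        return "501 local-part too long"
    return f"250 OK {local}@{domain}"


def run_variants(handler, variants):
    """Driver and monitor: send every variant to `handler` and classify the
    outcome. A clean 5xx rejection is the expected behaviour; an exception
    escaping the handler is the kind of finding the fuzzer is looking for."""
    results = {}
    for variant in variants:
        try:
            reply = handler(variant)
        except Exception as exc:  # a crash in the system under test
            results[variant] = ("crash", f"{type(exc).__name__}: {exc}")
            continue
        kind = "rejected" if reply.startswith("5") else "accepted"
        results[variant] = (kind, reply)
    return results


if __name__ == "__main__":
    variants = session_data_mutations(LEGAL_COMMAND)
    for variant, (kind, reply) in run_variants(toy_mail_from_handler, variants).items():
        print(f"{kind:8} {reply!r:35} <- {variant!r}")
```

Running the block prints one line per variant. The whitespace variants come out as rejections because the toy parser expects exactly one space; whether a real server tolerates, rejects or mishandles such input is precisely what a session data fuzz run records.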

10
Peach is a Smart Fuzzer that is capable of
generating a protocol from scratch or mutating an
existing protocol.
11
Buffer overflow
12
General fuzzing phases
  • Identify target
      • Relational database engine
  • Identify inputs
      • SQL interface of the DBMS
  • Generate fuzzed data
  • Execute fuzzed data
      • Send SQL statements to server
  • Monitor for exceptions
      • Crashes, resource usage, etc.
  • Determine exploitability

13
Fuzzing tool for SQL
  • Automated test-case generators
      • Simple tools that automatically generate tests.
  • SQL token fuzzer
      • Used in the fuzzed data generation phase.
  • Fuzzer driver
      • In charge of putting together the output of the
        other two modules and executing SQL statements.

14
SQL fuzzing modules
15
Resulting iterations
  • SELECT * FROM C96t@s?IrCzbi8J6dpDm
    WHERE user_name = N'Bob'
    EXEC sp_demo N'Bob', '06/29/2009 11:45AM'
  • SELECT * FROM MyTable
    WHERE user_name = N'OSAj'
    EXEC sp_demo N'OSAj', '06/29/2009 11:45AM'
  • SELECT * FROM w0ehI9Bn7TD6ED5b.I9IIEUf
    WHERE user_name = N'Alice'
    EXEC sp_demo 'Alice', '7461-IV-15 8493 '
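
The three modules of the SQL fuzzing tool (test-case generators, SQL token fuzzer, fuzzer driver) and the general phases (identify inputs, generate, execute, monitor) carried through in code, as an added example that is not the presentation's tool or code. It assumes an in-memory SQLite database as the relational engine (the slide's statements are SQL Server style; SQLite is used here so the block runs offline), a constructed list of template statements standing in for the automated test-case generator, and one random mutation per statement. The driver counts statements the engine accepted, statements it rejected cleanly with a `sqlite3.Error`, and any other exception, which is what the monitoring phase flags for the exploitability phase.

```python
import random
import re
import sqlite3
import string

# Constructed templates standing in for the automated test-case generator:
# legal statements against the table the driver creates below.
TEMPLATES = [
    "SELECT * FROM MyTable WHERE user_name = 'Bob'",
    "INSERT INTO MyTable (user_name, created) VALUES ('Bob', '06/29/2009 11:45AM')",
    "SELECT user_name FROM MyTable WHERE rowid = 1",
]

# One token per match: string literal, number, identifier/keyword, whitespace,
# or any other single character. Joining the tokens back gives the original text.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+|[A-Za-z_]\w*|\s+|.")
KEYWORDS = {"SELECT", "FROM", "WHERE", "INSERT", "INTO", "VALUES", "AND", "OR", "ROWID"}


def make_rng(seed):
    """Seeded generator so a campaign can be replayed when it finds something."""
    return random.Random(seed)


def tokenize(sql):
    return TOKEN_RE.findall(sql)


def is_mutable(tok):
    """Identifiers (not keywords), string literals and numbers are fuzz targets."""
    if tok.startswith("'") or tok.isdigit():
        return True
    return re.fullmatch(r"[A-Za-z_]\w*", tok) is not None and tok.upper() not in KEYWORDS


def random_identifier(rng, length):
    alphabet = string.ascii_letters + string.digits + "_"
    return rng.choice(string.ascii_letters) + "".join(rng.choice(alphabet) for _ in range(length - 1))


def mutate_token(tok, rng):
    """SQL token fuzzer: replace one token with a random identifier, a random
    or malformed literal (such as a garbage date), an unterminated literal,
    or a boundary number."""
    if tok.startswith("'"):
        choice = rng.randrange(3)
        if choice == 0:  # random short string, like N'OSAj' on the slide
            return "'" + "".join(rng.choice(string.ascii_letters) for _ in range(4)) + "'"
        if choice == 1:  # malformed date, like '7461-IV-15 8493 ' on the slide
            return (f"'{rng.randrange(1000, 10000)}-{rng.choice(['I', 'IV', 'XIII'])}"
                    f"-{rng.randrange(1, 40)} {rng.randrange(10000)} '")
        return tok[:-1]  # drop the closing quote: unterminated literal
    if tok.isdigit():
        return str(rng.choice([0, -1, 2**31, 2**63, 10**40]))
    return random_identifier(rng, rng.randrange(1, 40))


def fuzz_statement(sql, rng):
    """Generate phase: pick one mutable token of a template and mutate it."""
    tokens = tokenize(sql)
    candidates = [i for i, t in enumerate(tokens) if is_mutable(t)]
    if not candidates:
        return sql
    i = rng.choice(candidates)
    tokens[i] = mutate_token(tokens[i], rng)
    return "".join(tokens)


def run_fuzz_campaign(templates, iterations=50, seed=1):
    """Fuzzer driver: execute fuzzed statements against an in-memory SQLite
    engine (stand-in for the DBMS under test) and monitor the outcome."""
    rng = make_rng(seed)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyTable (user_name TEXT, created TEXT)")
    conn.execute("INSERT INTO MyTable VALUES ('Bob', '06/29/2009 11:45AM')")
    summary = {"accepted": 0, "rejected": 0, "unexpected": [], "samples": []}
    for _ in range(iterations):
        stmt = fuzz_statement(rng.choice(templates), rng)
        if len(summary["samples"]) < 3:
            summary["samples"].append(stmt)
        try:
            conn.execute(stmt).fetchall()
            summary["accepted"] += 1          # engine took the input
        except sqlite3.Error:
            summary["rejected"] += 1          # clean rejection, expected
        except Exception as exc:              # anything else is a finding
            summary["unexpected"].append((stmt, f"{type(exc).__name__}: {exc}"))
    conn.close()
    return summary


if __name__ == "__main__":
    result = run_fuzz_campaign(TEMPLATES, iterations=50, seed=1)
    for sample in result["samples"]:
        print(sample)
    print({k: v for k, v in result.items() if k != "samples"})
```

Because the mutation of a date literal lands in a TEXT column, those statements are accepted rather than rejected, which is the kind of observation the "resulting iterations" slide is about: the fuzzer shows what the engine silently takes as well as what it refuses.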

16
Interesting technologies for fuzzers
  • Next Generation Networks (NGN), such as VoIP and
    IPTV
  • IPv6 and related protocols
  • Wireless protocols
  • Industrial SCADA networks
  • Vehicle Area Networks (VAN)

17
Conclusion
  • From the QA perspective it offers a very
    effective way to discover flaws early.
  • For attackers it presents a way to penetrate
    black box servers that would otherwise be
    difficult to penetrate.
  • The trade-off between increasing security and
    financial considerations may start to affect the
    reliability of software.
  • Post-release bug fixes are 10-100x more expensive.

18
More information
  • Something to begin with:
      • https://www.owasp.org/index.php/Fuzzing
      • http://www.infosecinstitute.com/blog/2005/12/fuzzers-ultimate-list.html
      • http://pages.cs.wisc.edu/~bart/fuzz/

19
References
  • Chickowski, E. Built-in security. 2008.
  • Garcia, R. Case Study: Experiences on SQL
    Language Fuzz Testing. 2009.
  • Jenik, A. Fuzzing tools: making sense out of
    nonsense. 2009.
  • Kim, H. C., Choi, Y. H., Lee, D. H. Efficient file
    fuzz testing using automated analysis of binary
    file format. 2010.
  • Naraine, R. Microsoft Office under siege. 2006.
  • Takanen, A. Fuzzing for the masses. 2008.
  • https://www.owasp.org/index.php/Fuzzing

20
Thank you for your attention!
  • Questions?